Overview

overview

10

Static

static

95ae8e32eb...7b.dll

windows7-x64

10

95ae8e32eb...7b.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    63s
  • max time network
    64s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-01-2023 00:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    95ae8e32eb8635e7eabe14ffbfaa777b.dll

  • Size

    5.0MB

  • MD5

    95ae8e32eb8635e7eabe14ffbfaa777b

  • SHA1

    d5872c3f694a9e23c0583c4ae3e5c59eab26c021

  • SHA256

    fb648bfb485f910e065cc18778364a56be32044d1ac4729449f3cc28221b12e8

  • SHA512

    053e31bb5d469a2c4b1c5ab658d87051168c8a0b8d55d1709bcc4c11faf16fd1617263c5c30c4c9bfb5b319ead6d2712fafebc5a40888f5a6b46d1eb6030335f

  • SSDEEP

    49152:RnnMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:1nPoBhz1aRxcSUDk36SAEdhv

Score
10/10
wannacryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 11 IoCs
  • Drops file in Windows directory 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 12 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 42 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\95ae8e32eb8635e7eabe14ffbfaa777b.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4372
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\95ae8e32eb8635e7eabe14ffbfaa777b.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\WINDOWS\mssecsvr.exe
        C:\WINDOWS\mssecsvr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:4724
  • C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:4876
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SplitLock.mp4v"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1496
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UnblockUnpublish.dib"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:4776
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    1⤵
      PID:4412
    • C:\Windows\system32\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RenameDisable.jpg" /ForceBootstrapPaint3D
      1⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2384
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
      1⤵
      • Drops file in System32 directory
      PID:1564
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3664
    • C:\Windows\system32\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RenameDisable.jpg" /ForceBootstrapPaint3D
      1⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4540
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4800
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3352

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\WINDOWS\mssecsvr.exe
      Filesize

      2.2MB

      MD5

      115b1d97402bc50dacb74ba73c7464d2

      SHA1

      799abb0d4067ec605126cd40ce52949510a60cf7

      SHA256

      a837de3df64de641ca48b50983dc072692e237a24197bcc0c080152c4ddc3c2b

      SHA512

      910bf83e0c71df49d5c47cfd078d961ac5214fbcc14ed73052075f0e00e80bd942bc2fbb585630b630d78ac713d7a0dc899aa95a14f2554440f09c6119833bc4

      Download Submit

    • C:\Windows\mssecsvr.exe
      Filesize

      2.2MB

      MD5

      115b1d97402bc50dacb74ba73c7464d2

      SHA1

      799abb0d4067ec605126cd40ce52949510a60cf7

      SHA256

      a837de3df64de641ca48b50983dc072692e237a24197bcc0c080152c4ddc3c2b

      SHA512

      910bf83e0c71df49d5c47cfd078d961ac5214fbcc14ed73052075f0e00e80bd942bc2fbb585630b630d78ac713d7a0dc899aa95a14f2554440f09c6119833bc4

      Download Submit

    • C:\Windows\mssecsvr.exe
      Filesize

      2.2MB

      MD5

      115b1d97402bc50dacb74ba73c7464d2

      SHA1

      799abb0d4067ec605126cd40ce52949510a60cf7

      SHA256

      a837de3df64de641ca48b50983dc072692e237a24197bcc0c080152c4ddc3c2b

      SHA512

      910bf83e0c71df49d5c47cfd078d961ac5214fbcc14ed73052075f0e00e80bd942bc2fbb585630b630d78ac713d7a0dc899aa95a14f2554440f09c6119833bc4

      Download Submit

    • memory/1564-137-0x00000229E8B60000-0x00000229E8B70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1564-138-0x00000229E8BA0000-0x00000229E8BB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1640-132-0x0000000000000000-mapping.dmp

      Download

    • memory/4724-133-0x0000000000000000-mapping.dmp

      Download